Secure two-party cryptography is possible if the adversary's quantum storage device suffers imperfections. For example, security can be achieved if the adversary can store strictly less than half of the qubits transmitted during the protocol. This special case is known as the bounded-storage model, and it has long been an open question whether security can still be achieved if the adversary's storage were any larger. Here, we answer this question positively and demonstrate a two-party protocol which is secure as long as the adversary cannot store even a small fraction of the transmitted pulses. We also show that security can be extended to a larger class of noisy quantum memories.



I. INTRODUCTION 

Two-party cryptography enables Alice and Bob to solve problems in cooperation even if they do not trust each other. Important examples of such tasks include auctions and secure identification. In the latter, Alice wants to identify herself to Bob (possibly a fraudulent ATM machine) without revealing her password. More generally, Alice and Bob wish to solve problems where Alice holds an input $x$ (e.g. her password) and Bob holds an input $y$ (e.g. the password an honest Alice should possess), and they want to obtain the value of some function $f(x,y)$ (e.g. 'yes' if $x = y$, and 'no' otherwise), as depicted in Fig. 1. Security means that Alice should not learn anything about $y$ and Bob should not learn anything about $x$, apart from what can be inferred from $f(x,y)$.

Contrary to quantum key distribution, where honest Alice and Bob can work together to detect the presence of an outside eavesdropper, two-party cryptography is made difficult by the fact that Alice and Bob do not trust each other and have to fend for themselves. Indeed, two-party cryptography is impossible without making assumptions about the adversary, even when we allow quantum communication. The security of most cryptographic systems in use today is based on the premise that certain computational problems are hard to solve for the adversary. Concretely, security relies on the assumption that the adversary's computational resources are limited, and that the underlying problem is hard in some precise complexity-theoretic sense. While the former assumption may be justified in practice, the latter statement is usually an unproven mathematical conjecture.

It is thus a natural question whether other, more physical assumptions regarding the two parties' resources allow us to obtain security without relying on any additional hardness results. This is indeed known to be possible if we assume that the adversary's classical [5-7] or quantum storage is limited [8-10], or more generally if his memory is simply imperfect [11-13].

Concretely, the assumption of the noisy-storage model entails that during waiting times $\Delta t$ in a protocol, the adversary has to measure/discard all his quantum information except what he can encode (arbitrarily) into his quantum memory. Any quantum storage can be modeled as a completely positive trace preserving (CPTP) map $\mathcal{F}: \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$ that maps states $\rho \in \mathcal{H}_{in}$ to some noisy states $\mathcal{F}(\rho) \in \mathcal{H}_{out}$. In this paper, we focus on the case where the input space is a tensor product $\mathcal{H}_{in} = (\mathbb{C}^d)^{\otimes \nu n}$, the protocols involve $n$ qudits of communication and the noise is of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ with $\mathcal{N}: \mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$. The constant $\nu > 0$ is referred to as the storage rate, as it captures the fraction of the transmitted qudits that could potentially be stored by the adversary.

Clearly, the storage rate $\nu$ plays a crucial role in deciding whether security can be obtained from a particular storage device. For example, in the case of bounded storage where we have no noise ($\mathcal{N} = \mathbb{I}$), we can never hope to obtain security if the adversary can store all quantum information made available to him during the protocol, that is, if $\nu = 1$ and the input space is $\mathcal{H}_{in} = (\mathbb{C}^d)^{\otimes n}$. Apart from this trivial condition, however, no bounds were known that restrict our ability to obtain security. It was first shown that security can be achieved in a protocol based on qubits ($d = 2$) as long as $\nu < 1/4$. This was improved to $\nu < 1/2$ in [13]. More generally, it was shown that security in the noisy-storage model can be obtained [13] if
$$C_{\mathcal{N}} \cdot \nu < \frac{1}{2}, \qquad (1)$$
where $C_{\mathcal{N}}$ is the classical capacity of the quantum channel $\mathcal{N}$.

FIG. 1: Secure Identification



distribution, and whereas results from QKD may pro- 
vide some clues, they give only very little indication that 
higher dimensional states are useful for our problem. 



A. Results 

Here, we show that for the case of bounded storage, security can be obtained even if the cheating party can store all but a constant fraction of the transmitted pulses. That is, the trivial condition $\nu < 1$ stated above is in fact optimal! The honest players thereby need no quantum storage at all in order to execute the protocol. This not only settles the question, but also highlights the sharp contrast to the case of classical bounded storage, where it was shown that security can only be obtained if the adversary's classical storage is at most quadratic in the storage required by the honest players [14]. Unlike the earlier protocols [8, 10, 13], which use BB84 encoded qubits, we make use of states encoded in higher-dimensional mutually unbiased bases [33]. Of course, we also scale the storage size accordingly to $\mathcal{H}_{in} = (\mathbb{C}^d)^{\otimes \nu n}$ when sending $d$-dimensional states. More specifically, we show that security in the setting of bounded storage is possible as long as
$$\nu < \frac{\log(d+1) - 1}{\log d}, \qquad (2)$$
where the r.h.s. approaches 1 for large $d$. We stress that for large values of $d$ the resulting protocols will be much harder to implement experimentally, and even though the errors decrease exponentially with $n$, they converge very slowly for large $d$. Note, however, that here we are merely interested in exploring the fundamental physical limitations of this model.

For the general setting of noisy quantum storage we further show that security is possible for devices $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$, where the channel $\mathcal{N}: \mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$ satisfies the strong converse property [15], whenever
$$C_{\mathcal{N}} \cdot \nu < \log(d+1) - 1, \qquad (3)$$
thus extending the range of storage devices for which we can prove security [13]. Our proof thereby relies on an uncertainty relation for mutually unbiased bases, but is completely general in the sense that any other set of encodings satisfying such a relation could be used in our protocol instead.

We would like to emphasize that the setting considered here differs greatly from quantum key distribution (QKD), where higher dimensional states have also been used to some advantage. In QKD, Alice and Bob trust each other, but are trying to protect themselves from an outside eavesdropper. An important advantage gained by Alice and Bob in this setting is that they can work together to try and detect interference by such an eavesdropper. In contrast, in the scenario we are considering there is no analogous way for Alice to check on any of Bob's actions, and vice versa. Hence, we require an entirely different proof of security from the one used in quantum key


B. Techniques 

We first give an overview of the steps involved in obtaining our result. The constant 1/2 in the bound (1) is a result of using BB84 states in the protocol, and stems from an uncertainty relation for measurements in these two bases. It is thus natural to consider a protocol that uses more than two mutually unbiased bases (MUBs), for which uncertainty relations are known to exist [17]. Our first step is to obtain a modified protocol for the simple two-party primitive weak string erasure, which was originally introduced in [13], using the full set of $d+1$ MUBs that are known to exist in prime power dimensions [18, 19]. Next, we show that there is still a secure protocol for the cryptographic primitive of oblivious transfer using this variant of weak string erasure. This is done by purely classical post-processing of the output of the quantum primitive weak string erasure. Since it is known that any two-party cryptographic problem can be solved using oblivious transfer [20], this concludes our claim.



II. WEAK STRING ERASURE 

We first show how to obtain a variant of the very simple cryptographic primitive weak string erasure (WSE) introduced in [13], which we will call non-uniform weak string erasure; a formal definition can be found in Appendix A. Intuitively, this primitive provides Alice with a string $X^n = (X_1, \ldots, X_n) \in \{0, 1, \ldots, d-1\}^n$, where each entry $X_i$ takes on one of $d$ possible values. Bob obtains a set of index locations $\mathcal{I} = \{i_1, \ldots, i_m\} \subseteq [n]$, where any index $i \in \{1, \ldots, n\} =: [n]$ is chosen to be in $\mathcal{I}$ with some probability $p$. In addition, Bob receives the entries of the string $X^n$ corresponding to the indices $\mathcal{I}$, which we denote by the substring $X_{\mathcal{I}} = (X_{i_1}, X_{i_2}, \ldots, X_{i_m})$. Security here means that even if Alice is dishonest, she cannot learn which entries are known to Bob, i.e., she cannot learn anything about the index set $\mathcal{I}$. Conversely, if Bob is dishonest, then his information about the entire string $X^n$ should still be limited in the sense that the probability that he can guess all of $X^n$ given his information $B'$ is small. That is,
$$P_{guess}(X^n|B') \le 2^{-\lambda n} \qquad (4)$$
for some $\lambda > 0$. This is equivalent [21] to demanding that his min-entropy [12], denoted as $H_\infty(X^n|B')_\rho$, obeys
$$H_\infty(X^n|B')_\rho = -\log P_{guess}(X^n|B') \ge \lambda n. \qquad (5)$$
In practice, we allow this condition to fail with error parameter $\varepsilon$, which corresponds to demanding that the smooth min-entropy, defined as
$$H^\varepsilon_\infty(X^n|B')_\rho := \sup_{\bar\rho_{X^nB'} \ge 0,\ \frac{1}{2}\|\bar\rho_{X^nB'} - \rho_{X^nB'}\|_1 \le \varepsilon\, \mathrm{tr}(\rho_{X^nB'})} H_\infty(X^n|B')_{\bar\rho}, \qquad (6)$$
satisfies
$$H^\varepsilon_\infty(X^n|B') \ge \lambda n. \qquad (7)$$

A. Protocol

Next we outline a simple protocol that achieves the functionality described above. It is a straightforward generalization of the original protocol in [13] to multiple encodings, the main difference being that the indices in $\mathcal{I} \subseteq [n]$ are no longer chosen uniformly at random. Instead, the probability $p$ that honest Bob learns the value of $X_i$ for $i \in [n]$ is equal to the probability that he chooses the same basis as Alice, that is, $p = 1/(d+1)$. In what follows, let $2^{[n]}$ denote the set of all subsets of $[n]$.



Let $\delta \in\, ]0, \tfrac{1}{2} - C_{\mathcal{N}} \cdot \nu[$. Then Protocol 1 securely implements weak string erasure for sufficiently large $n$ with
$$\lambda(\delta, d) = \nu \cdot \gamma^{\mathcal{N}}\!\left(\frac{\log(d+1) - 1 - \delta}{\nu}\right) \qquad (9)$$
and error $\varepsilon(\delta, d) = 2\exp(-f(\delta, d)\, n)$ with
$$f(\delta, d) \propto \frac{\delta^2}{\left(\log((d+1) \cdot d) + \log(4/\delta)\right)^2} > 0, \qquad (10)$$
where $\gamma^{\mathcal{N}}(\cdot)$ is the strong converse parameter of $\mathcal{N}$ [15].

Note that for bounded storage, where $\mathcal{N}$ is simply the identity channel over Bob's $d$-dimensional input Hilbert space, $C_{\mathcal{N}} = \log d$ in (8), which directly implies our central result (2).

It is easy to see that the protocol is correct if both parties are honest: if Alice is honest, her string $X^n = x^n$ is chosen uniformly at random from $\{0, 1, \ldots, d-1\}^n$ as desired, and if Bob is honest, he clearly obtains $\hat{x}_i = x_i$ whenever $i \in \mathcal{I}$ for a random subset $\mathcal{I} \subseteq [n]$. In the remainder of this section, we prove security if one of the parties is dishonest.



Protocol 1: Non-uniform WSE

Outputs: $x^n \in \{0, 1, \ldots, d-1\}^n$ to Alice, $(\mathcal{I}, x_{\mathcal{I}}) \in 2^{[n]} \times \{0, 1, \ldots, d-1\}^{|\mathcal{I}|}$ to Bob.

1: Alice: Picks an $n$-dit string uniformly at random, $x^n \in \{0, 1, \ldots, d-1\}^n$. She encodes each dit into one of the $d+1$ MUBs, $B_{\theta_1}, \ldots, B_{\theta_n}$, that is, she chooses a basis string $\theta^n = (\theta_1, \ldots, \theta_n) \in \{0, \ldots, d\}^n$ uniformly at random, so that the dit $x_i$ is encoded in basis $B_{\theta_i}$, and sends it to Bob.

2: Bob: Chooses a basis string $\hat\theta^n \in \{0, 1, \ldots, d\}^n$ uniformly at random. When receiving the $i$-th qudit, he measures it in the basis $B_{\hat\theta_i}$ to obtain outcome $\hat{x}_i$.

Both parties wait time $\Delta t$.

3: Alice: Sends the basis information $\theta^n$ to Bob, and outputs $x^n$.

4: Bob: Computes $\mathcal{I} := \{i \in [n] \mid \theta_i = \hat\theta_i\}$, and outputs $(\mathcal{I}, \hat{x}_{\mathcal{I}})$.
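To make the bookkeeping of Protocol 1 concrete, the following Python simulation (an added example, not code from the paper) builds the $d+1$ MUBs of $\mathbb{C}^d$ for an odd prime $d$ from the standard quadratic-phase construction, checks that every pair of bases is mutually unbiased, and runs the protocol between honest parties: Alice encodes a uniformly random dit string in random bases, Bob measures each qudit on arrival in his own random basis (so he needs no quantum memory), and after Alice reveals $\theta^n$ he keeps exactly the positions where the two basis strings agree. The odd-prime restriction, the seeded generator and the helper `bounded_storage_threshold` (the right-hand side of (2)) are choices of this example.

```python
import cmath
import math
import random
from itertools import combinations


def mub_bases(d):
    """The d+1 mutually unbiased bases of C^d for an odd prime d.
    Basis 0 is the computational basis; basis k+1 (k = 0..d-1) consists of the vectors
    |b_j^k> = d^(-1/2) * sum_x omega^(k x^2 + j x) |x>, omega = exp(2 pi i / d).
    Restricting to odd primes is an assumption of this example (the paper allows prime powers)."""
    if d < 3 or any(d % q == 0 for q in range(2, d)):
        raise ValueError("this construction needs an odd prime d")
    omega = cmath.exp(2j * math.pi / d)
    bases = [[[1 + 0j if x == j else 0j for x in range(d)] for j in range(d)]]
    for k in range(d):
        bases.append([[omega ** ((k * x * x + j * x) % d) / math.sqrt(d)
                       for x in range(d)] for j in range(d)])
    return bases


def overlap(u, v):
    """|<u|v>|^2 for two vectors given as lists of complex amplitudes."""
    return abs(sum(a.conjugate() * b for a, b in zip(u, v))) ** 2


def max_mub_deviation(bases):
    """Largest deviation of |<u|v>|^2 from 1/d over vectors u, v taken from two different
    bases; zero (up to rounding) exactly when all bases are mutually unbiased."""
    d = len(bases[0])
    return max(abs(overlap(u, v) - 1 / d)
               for b1, b2 in combinations(bases, 2) for u in b1 for v in b2)


def measure(state, basis, rng):
    """Projective measurement of `state` in `basis`: sample an outcome with Born probabilities."""
    probs = [round(overlap(b, state), 12) for b in basis]  # rounding removes 1e-33 float noise
    r = rng.random() * sum(probs)
    acc = 0.0
    for outcome, pr in enumerate(probs):
        acc += pr
        if r < acc:
            return outcome
    return len(probs) - 1


def run_protocol_1(d, n, seed=7):
    """Honest execution of Protocol 1 (non-uniform WSE) in dimension d with n qudits."""
    rng = random.Random(seed)
    bases = mub_bases(d)
    x = [rng.randrange(d) for _ in range(n)]              # step 1: Alice's dit string x^n
    theta = [rng.randrange(d + 1) for _ in range(n)]      # step 1: Alice's bases theta^n
    theta_hat = [rng.randrange(d + 1) for _ in range(n)]  # step 2: Bob's bases
    # step 2: Bob measures qudit i in B_{theta_hat_i} as it arrives; nothing is stored
    x_hat = [measure(bases[theta[i]][x[i]], bases[theta_hat[i]], rng) for i in range(n)]
    # (both parties wait Delta t) step 3: Alice reveals theta^n; step 4: Bob keeps agreements
    I = [i for i in range(n) if theta[i] == theta_hat[i]]
    return {"x": x, "I": I, "x_I": {i: x_hat[i] for i in I}, "x_hat": x_hat}


def bounded_storage_threshold(d):
    """Right-hand side of (2): the largest storage rate nu for which security is claimed."""
    return (math.log2(d + 1) - 1) / math.log2(d)


if __name__ == "__main__":
    out = run_protocol_1(3, 2000)
    print("MUB deviation for d=3:", max_mub_deviation(mub_bases(3)))
    print("|I| =", len(out["I"]), "of", len(out["x"]), "(expected about n/(d+1) = 500)")
    print("all kept dits correct:", all(out["x_I"][i] == out["x"][i] for i in out["I"]))
    print("threshold nu for d=2,3,7,31:",
          [round(bounded_storage_threshold(d), 3) for d in (2, 3, 7, 31)])
```

Running it shows the two facts the correctness argument relies on: on the agreeing positions Bob's outcome equals Alice's dit with certainty, while on the other positions his outcome is uniform over the $d$ values (so he learns nothing there), and the kept fraction concentrates around $p = 1/(d+1)$, which is why the protocol is called non-uniform.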



We now formally state our claim that this protocol does indeed implement non-uniform WSE, with the parameters $\varepsilon$, $\lambda$ and $d$.

Theorem 1. Let Bob's storage be given by $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ with a storage rate $\nu > 0$, where $\mathcal{N}$ satisfies the strong converse property [15] and the capacity $C_{\mathcal{N}}$ of the channel $\mathcal{N}$ is bounded by
$$C_{\mathcal{N}} \cdot \nu < \log(d+1) - 1. \qquad (8)$$

B. Security against dishonest Bob 

First of all, we need to show that even if Bob is dishonest, he can nevertheless not learn much about the entire string $X^n$. In other words, our goal is to show that there exists some $\lambda > 0$ satisfying (5). Our proof proceeds in three steps; technical details can be found in Appendix A. First, we consider Bob's information about the string $X^n$ given only his classical information $K$, and the basis information $\Theta^n$ he receives. This can be quantified using entropic uncertainty relations in terms of the Shannon entropy for $d+1$ MUBs [17].

Using [23, Theorem 4.22] these uncertainty relations imply a bound on Bob's information in terms of the smooth min-entropy
$$H^\varepsilon_\infty(X^n|K\Theta^n)_\rho \ge \left(\log(d+1) - 1 - \frac{\delta}{2}\right) n \qquad (11)$$
for any $0 < \delta < \tfrac{1}{2}$ with $\varepsilon = 2\exp(-f(\delta, d)\, n)$, for $f(\delta, d) > 0$. That is, the error decreases exponentially with $n$, as desired. Note that instead of mutually unbiased bases, we could have used any other form of encodings obeying such a strong uncertainty relation.

Next we consider Bob's information when, in addition, he is given the output of his storage device $\mathcal{F}(Q)$. We know from [13] that the uncertainty relation (11) determines the rate at which Bob needs to send information through his storage device. Using [13, Lemma 2.2] together with (11) we obtain
$$H^\varepsilon_\infty(X^n|\Theta^n K \mathcal{F}(Q))_\rho \ge -\log P^{\mathcal{F}}_{succ}\big(n(\log(d+1) - 1 - \delta)\big), \qquad (12)$$
FIG. 2: Security regions $(r, \nu)$ for weak string erasure (WSE) with depolarizing noise $\mathcal{N}(\rho) = r\rho + (1-r)\mathbb{I}/d$, in dimensions $d = 4, 5$. Previously [13], security was shown in the regions below the dotted black curve for $d = 4$ and the dot-dashed green curve for $d = 5$. Our analysis extends the security region to the solid blue curve ($d = 4$) and the dashed red curve ($d = 5$) respectively.



where $P^{\mathcal{F}}_{succ}(nR)$ is the average probability of successfully sending a randomly chosen string $x \in \{0,1\}^{nR}$ through the storage $\mathcal{F}$ [13]. For noise of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$, the r.h.s. of (12) is the success probability of sending $nR$ bits through the $\nu n$ uses of $\mathcal{N}$, i.e. at a rate $R = (\log(d+1) - 1 - \delta)/\nu$ per channel use. The final step is to note that for channels satisfying the strong converse property [15], this success probability drops off exponentially with $n$ according to the parameter $\gamma^{\mathcal{N}}(\cdot)$ whenever $R > C_{\mathcal{N}}$. This gives the bound
$$C_{\mathcal{N}} \cdot \nu < \log(d+1) - 1 - \delta. \qquad (13)$$
Theorem 1 then follows by noting that exponential security (in $n$) is possible for any constant $\delta > 0$. As an example of how our bound improves upon the earlier bound in [13], we compare the corresponding security regions for WSE with depolarizing noise, i.e. when $\mathcal{N}(\rho) = r\rho + (1-r)\mathbb{I}/d$, in Fig. 2.



C. Security against dishonest Alice 



III. OBLIVIOUS TRANSFER 

Ultimately, we would like to use WSE to solve arbitrary two-party cryptographic problems. To this end, it suffices to implement the primitive oblivious transfer, which can solve any two-party problem [20]. Informally, this primitive outputs two strings $S_0^\ell, S_1^\ell \in \{0,1\}^\ell$ to Alice, and a choice bit $C \in \{0,1\}$ and $S_C^\ell$ to Bob. Security means that if Alice is dishonest, she should not learn anything about $C$. If Bob is dishonest, we demand that there exists some random variable $C$ such that Bob is entirely ignorant about $S^\ell_{1-C}$. That is, he may learn at most one of the two strings which are generated.

Here, we state a simplified version of the actual protocol which executes fully randomized oblivious transfer from WSE. This is a purely classical protocol, using the quantum primitive WSE. It contains all the essential ingredients to understand the main steps of our security proof. A formal definition, as well as the full protocol, can be found in Appendix B. The only difference from the protocol presented in [13] is the fact that $\mathcal{I}$ is no longer uniform, and honest Bob only learns about $pn$ entries $x_{\mathcal{I}}$, whereas in the case of uniform WSE [13] he could learn roughly $n/2$. We hence introduce a new parameter $\eta = 2(d+1)$ in the protocol, such that with high probability Bob learns at least $n/\eta$ of the indices.

Our protocol uses two ingredients, privacy amplification and a primitive called interactive hashing, where we refer to [13] for an overview of these techniques. Privacy amplification is well-known from its role in quantum key distribution [22]. Although interactive hashing is well-known within the realm of classical cryptography, it has only recently found applications in quantum information [13]. Intuitively, an interactive hashing protocol has the following properties: It takes as input a subset $\mathcal{I}_{tr}$ (encoded as a string $w$) from Bob, and outputs two subsets $\mathcal{I}_0, \mathcal{I}_1 \subseteq [n]$ (encoded as strings $w_0, w_1$) to both Alice and Bob. The protocol ensures that there exists a $c \in \{0,1\}$ such that $\mathcal{I}_c = \mathcal{I}_{tr}$, i.e., one of the two subsets it outputs is equal to Bob's original input. Note that since Bob knows his input, he can of course compute $c$. Nevertheless, interactive hashing ensures that Alice cannot learn which subset is the same as Bob's input, that is, Alice cannot learn $c$. Finally, interactive hashing has another important property we will need: Whereas Bob can choose one of these subsets (namely $\mathcal{I}_c$), the choice of the other subset is not under his control. In fact, $\mathcal{I}_{1-c}$ is essentially chosen at random.



When Alice is dishonest, it is intuitively obvious that she is unable to gain any information about the index set $\mathcal{I}$, since she never receives any information from Bob during our protocol. However, a more careful security analysis is required if we want to use weak string erasure to build more complicated primitives like oblivious transfer. This argument is essentially analogous to [13], as outlined in Appendix A for completeness.



Protocol 2: Oblivious Transfer

Outputs: $(s_0^\ell, s_1^\ell) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to Alice, and $(c, y^\ell) \in \{0,1\} \times \{0,1\}^\ell$ to Bob.

1: Alice and Bob: Execute WSE. Alice gets a string $x^n \in \{0, 1, \ldots, d-1\}^n$, Bob a set $\mathcal{I} \subseteq [n]$ and a string $s = x_{\mathcal{I}}$. If $|\mathcal{I}| < n/\eta$, Bob chooses uniformly at random a set $\mathcal{I}_{tr}$ of size $|\mathcal{I}_{tr}| = n/\eta$. Otherwise, he randomly truncates $\mathcal{I}$ to a set $\mathcal{I}_{tr}$ of size $n/\eta$, and deletes the corresponding values in $s$.

2: Alice and Bob: Execute interactive hashing with Bob's input $w$ equal to a description of $\mathcal{I}_{tr} = \mathrm{Enc}(w)$. Interpret the outputs $w_0$ and $w_1$ as descriptions of subsets $\mathcal{I}_0$ and $\mathcal{I}_1$ of $[n]$.

3: Alice: Chooses $r_0, r_1 \in \mathcal{R}$ uniformly at random and sends them to Bob.

4: Alice: Outputs $(s_0^\ell, s_1^\ell) := (\mathrm{Ext}(x_{\mathcal{I}_0}, r_0), \mathrm{Ext}(x_{\mathcal{I}_1}, r_1))$ using $\mathrm{Ext}: \{0, \ldots, d-1\}^{n/\eta} \times \mathcal{R} \to \{0,1\}^\ell$, the 2-universal hash function known from quantum key distribution [22].

5: Bob: Computes $c \in \{0,1\}$ with $\mathcal{I}_{tr} = \mathcal{I}_c$, and $x_{\mathcal{I}_c}$ from $s$. He outputs $(c, y^\ell) := (c, \mathrm{Ext}(s, r_c))$.



$\mathcal{I}_1$ of dits are known to Bob. Hence, Alice cannot learn $C$, as desired.

B. Security against dishonest Bob

Again, it follows from weak string erasure that a dishonest Bob gains only a limited amount of information about the string $X^n$. The properties of interactive hashing ensure that Bob has very little control over the subset $\mathcal{I}_{1-c}$ chosen by the interactive hashing. Therefore, by the results on min-entropy sampling [26], Bob has only limited information about the dits in this subset. Privacy amplification [22] can then be used to turn this into almost complete ignorance.



IV. CONCLUSION 



We provide only an overview of our proof since it closely follows the steps in [13]; details can be found in Appendix B. To show that the protocol is correct, we first use Hoeffding's inequality [24] to show that, except with exponentially small probability $\exp(-2n/\eta)$, Bob learns a sufficient number of indices to retrieve the desired string $s_c$.



A. Security against dishonest Alice 

To show that the protocol is secure against a cheating Alice, we have to show that there is no way for her to learn $C$, that is, which of the two strings is known to honest Bob. We again provide an overview of our proof, and defer the complete technical details to Appendix B.

First of all, note that the properties of weak string erasure ensure that a dishonest Alice does not know which dits $x_{\mathcal{I}}$ of $x^n$ are known to Bob, that is, she is ignorant about the index set $\mathcal{I}$. This is similar to the proof in [13]. However, for our new protocol we encounter an additional difficulty, since we need that even the truncated set $\mathcal{I}_{tr}$ is uniform over subsets of size $n/\eta$, but $\mathcal{I}$ is no longer distributed uniformly over $2^{[n]}$. Formally, the probability of a given truncated set $\mathcal{I}_{tr}$ can be written in terms of the probability $p(A)$ of the event $A$ that $|\mathcal{I}| \ge n/\eta$, as follows:
$$p(\mathcal{I}_{tr}|A) = \sum_{\mathcal{I} \supseteq \mathcal{I}_{tr},\ |\mathcal{I}| \ge n/\eta} \frac{1}{\binom{|\mathcal{I}|}{n/\eta}}\, p(\mathcal{I}|A) = \frac{1}{p(A)} \sum_{\mathcal{I} \supseteq \mathcal{I}_{tr},\ |\mathcal{I}| \ge n/\eta} \frac{1}{\binom{|\mathcal{I}|}{n/\eta}}\, p(\mathcal{I}), \qquad (14)$$
which is independent of the particular set $\mathcal{I}_{tr}$, as desired. Here, $1/\binom{|\mathcal{I}|}{n/\eta}$ is the probability of choosing the particular subset $\mathcal{I}_{tr}$ from $\mathcal{I}$ and $p(\mathcal{I}|A)$ is the conditional probability of a set $\mathcal{I}$, given that $|\mathcal{I}| \ge n/\eta$. The final equality is simply an application of Bayes' rule, $p(A)p(\mathcal{I}|A) = p(A|\mathcal{I})p(\mathcal{I})$, where $p(A|\mathcal{I}) = 1$ for every $\mathcal{I}$ in the sum. Since $p(\mathcal{I})$ depends only on $|\mathcal{I}|$ and the number of supersets of a given size is the same for every $\mathcal{I}_{tr}$ of size $n/\eta$, the last sum takes the same value for all $\mathcal{I}_{tr}$, so $\mathcal{I}_{tr}$ is indeed uniform.
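As an added numerical check of the truncation argument above (this code is not from the paper), the following Python script enumerates all index sets $\mathcal{I}$ for a small $n$, weights them with (A1), applies Bob's truncation rule, and computes $p(\mathcal{I}_{tr}|A)$ exactly with rational arithmetic. The values $n = 7$, $p = 1/4$ (i.e. $d = 3$) and target size $k = 2$ are chosen for the example; the deterministic "prefix" rule is included only as a contrast, to show that uniformity of $\mathcal{I}_{tr}$ depends on Bob truncating at random and not merely on summing over supersets as in (14).

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def subset_prob(n, p, I):
    """Pr(I) = p^|I| (1-p)^(n-|I|): every index enters I independently, as in (A1)."""
    m = len(I)
    return p ** m * (1 - p) ** (n - m)


def random_truncation(I, k):
    """Honest Bob's rule in Protocol 2: each k-subset of I with probability 1/C(|I|, k)."""
    w = Fraction(1, comb(len(I), k))
    return {sub: w for sub in combinations(I, k)}


def prefix_truncation(I, k):
    """A deterministic rule, used here only for contrast: keep the k smallest indices."""
    return {tuple(sorted(I))[:k]: Fraction(1)}


def truncated_distribution(n, p, k, truncate=random_truncation):
    """Exact p(I_tr | A) for every k-subset I_tr, where A is the event |I| >= k,
    obtained by summing over all supersets I of size >= k (the right-hand side of (14)).
    `p` may be anything Fraction() accepts, e.g. the string "1/4"."""
    p = Fraction(p)
    p_A = Fraction(0)
    unnormalised = {}
    for m in range(k, n + 1):
        for I in combinations(range(n), m):
            p_I = subset_prob(n, p, I)
            p_A += p_I
            for sub, w in truncate(I, k).items():
                unnormalised[sub] = unnormalised.get(sub, Fraction(0)) + w * p_I
    return {sub: q / p_A for sub, q in unnormalised.items()}


def is_uniform(dist):
    """True when every set in the support has the same probability."""
    return len(set(dist.values())) == 1


if __name__ == "__main__":
    good = truncated_distribution(7, "1/4", 2)
    bad = truncated_distribution(7, "1/4", 2, prefix_truncation)
    print("random truncation uniform:", is_uniform(good), "each =", good[(0, 1)])
    print("prefix truncation uniform:", is_uniform(bad), "e.g.", bad[(0, 1)], bad[(5, 6)])
```

With random truncation every one of the $\binom{7}{2} = 21$ sets receives exactly $1/21$, so a dishonest Alice sees the same distribution whatever Bob's $\mathcal{I}$ was; with the prefix rule the low-index sets are heavily favoured, which is precisely the leak the proof has to rule out.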
Finally, the fact that $\mathcal{I}_{tr}$ is uniform together with the properties of interactive hashing [25] ensure that she cannot gain any information on which of the two subsets $\mathcal{I}_0$ and



We have shown that any two-party cryptographic primitive can be implemented securely in the setting of bounded quantum storage, even if the adversary can store all but a fraction of the transmitted pulses. This is optimal, in the sense that we could never hope to achieve security if the cheating party could store all quantum communication made available to him. This demonstrates that there is no physical principle that prevents us from achieving security even with a very high storage rate $\nu < 1$. We have also shown in the noisy-storage setting that security is possible for a much larger range of noisy quantum memories.

To achieve our result we use higher dimensional states which are very difficult to create in practice. It is therefore an interesting open question whether the same result could be obtained using merely BB84 encoded qubits. Note, however, that our approach merely relies on the existence of entropic uncertainty relations for multiple encodings, and our protocols and proofs are completely analogous if we were to use any other encodings for which strong uncertainty relations are known to exist. For example, it is conceivable that uncertainty relations for multiple encodings can be built on top of BB84 encoded qubits [28], which would immediately lead to a protocol that is easy to implement experimentally.
Appendix A: Weak String Erasure

To formally state our result, let us first define non-uniform weak string erasure. This definition closely follows the one of [13], except that the string $X^n$ is now chosen from a larger alphabet and the indices in $\mathcal{I} \subseteq [n]$ are not chosen uniformly at random. Instead, the probability $p$ that honest Bob learns the value of $X_i$ for $i \in [n]$ is equal to the probability that he chooses the same basis as Alice, i.e., $p = 1/(d+1)$. In the definition below, we will need to talk about distributions over subsets $\mathcal{I} \subseteq [n]$. Clearly, the probability that Bob learns a particular subset $\mathcal{I}$ with $|\mathcal{I}| = m$ satisfies
$$\Pr(\mathcal{I}) = p^m (1-p)^{n-m}. \qquad (A1)$$
Note that we can write the subset $\mathcal{I}$ as a string $(y_1, \ldots, y_n) \in \{0,1\}^n$ where $y_i = 1$ if and only if $i \in \mathcal{I}$, allowing us to identify $|\mathcal{I}\rangle := |y_1\rangle \otimes \ldots \otimes |y_n\rangle$. The probability distribution over subsets $\mathcal{I} \subseteq [n]$ can then be expressed as (see also [13])
$$\tau(p) := \sum_{\mathcal{I} \subseteq [n]} p^{|\mathcal{I}|} (1-p)^{n-|\mathcal{I}|}\, |\mathcal{I}\rangle\langle\mathcal{I}|. \qquad (A2)$$
Furthermore, we will follow the notation of [13] and use $\tau_{\mathcal{S}}$ to denote the uniform distribution over a set $\mathcal{S}$.
Definition 1 (Non-uniform WSE). An $(n, \lambda, \varepsilon, p, d)$-WSE scheme is a protocol between $A$ and $B$ satisfying the following properties:

Correctness: If both parties are honest, then there exists an ideal state $\sigma_{X^n \mathcal{I} X_{\mathcal{I}}}$ defined such that:

1. The joint distribution of the $n$-dit string $X^n$ and subset $\mathcal{I}$ is given by
$$\sigma_{X^n \mathcal{I}} = \tau_{\{0, 1, \ldots, d-1\}^n} \otimes \tau(p), \qquad (A4)$$

2. The joint state $\rho_{AB}$ created by the real protocol is equal to the ideal state: $\rho_{AB} = \sigma_{X^n \mathcal{I} X_{\mathcal{I}}}$, where we identify $(A, B)$ with $(X^n, \mathcal{I} X_{\mathcal{I}})$.

Security for Alice: If $A$ is honest, then there exists an ideal state $\sigma_{X^n B'}$ such that

1. The amount of information $B'$ gives Bob about $X^n$ is limited:
$$\frac{1}{n} H_\infty(X^n|B')_\sigma \ge \lambda, \qquad (A5)$$
(ii) Suppose $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ for a storage rate $\nu > 0$, with $\mathcal{N}$ satisfying the strong-converse property and having capacity $C_{\mathcal{N}}$ bounded by
$$C_{\mathcal{N}} \cdot \nu < \log(d+1) - 1.$$
Let $\delta \in\, ]0, \tfrac{1}{2} - C_{\mathcal{N}} \cdot \nu[$. Then Protocol 1 is an $(n, \lambda(\delta,d), \varepsilon(\delta,d), 1/(d+1), d)$-WSE protocol for sufficiently large $n$, where
$$\lambda(\delta, d) = \nu \cdot \gamma^{\mathcal{N}}\!\left(\frac{\log(d+1) - 1 - \delta}{\nu}\right).$$

Note that when $\mathcal{N} = \mathrm{Id}$ then $C_{\mathcal{N}} = \log d$, so that the bound in (A14) holds for a storage rate of
$$\nu < \frac{\log(d+1) - 1}{\log d} \approx 1, \quad \text{for large } d.$$
Thus for the case of bounded storage, security can in principle be obtained for any storage rate $\nu < 1$, provided we choose a large enough system size $d$.



2. The joint state $\rho_{AB'}$ created by the real protocol is $\varepsilon$-close to the ideal state, i.e. $\sigma_{X^n B'} \approx_\varepsilon \rho_{AB'}$, where we identify $(X^n, B')$ with $(A, B')$.

Security for Bob: If $B$ is honest, then there exists an ideal state $\sigma_{A' X^n \mathcal{I} X_{\mathcal{I}}}$, where $X^n \in \{0, 1, \ldots, d-1\}^n$ and $\mathcal{I} \subseteq [n]$, such that

1. The random variable $\mathcal{I}$ is independent of $A' X^n$ and distributed over $2^{[n]}$ according to the probability distribution given by (A1):
$$\sigma_{A' X^n \mathcal{I}} = \sigma_{A' X^n} \otimes \tau(p). \qquad (A6)$$

2. The joint state $\rho_{A'B}$ created by the real protocol is equal to the ideal state: $\rho_{A'B} = \sigma_{A'(\mathcal{I} X_{\mathcal{I}})}$, where we identify $(A', B)$ with $(A', \mathcal{I} X_{\mathcal{I}})$.

We are now ready to state our result for non-uniform weak string erasure more formally. We first state the general result for quantum memories, and then focus on the tensor-product channels of the type $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$.

Theorem 2. (i) Let $\delta \in\, ]0, \tfrac{1}{2}[$ and let Bob's storage be given by $\mathcal{F}: \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$. Then Protocol 1 is an $(n, \lambda(\delta,d), \varepsilon(\delta,d), 1/(d+1), d)$-WSE protocol with min-entropy rate
$$\lambda(\delta, d) = \lim_{n \to \infty} -\frac{1}{n} \log P^{\mathcal{F}}_{succ}\big((\log(d+1) - 1 - \delta) \cdot n\big)$$
and error $\varepsilon(\delta, d) = 2\exp(-f(\delta, d)\, n)$ with
$$f(\delta, d) = \frac{(\delta/4)^2}{32 \left(\log((d+1) \cdot d) + \log(4/\delta)\right)^2} > 0. \qquad (A7)$$

1. Security for honest Alice

Let us now first consider the case of dishonest Bob. The main difference from [13] in proving security lies in the use of the uncertainty relation for the full set of $d+1$ mutually unbiased bases in prime power dimensions [17]. To see where we will make use of this relation, note that analogous to [13] we can model Bob's attack as a CPTP map $\mathcal{E}: \mathcal{B}((\mathbb{C}^d)^{\otimes n}) \to \mathcal{B}(\mathcal{H}_{in} \otimes \mathcal{H}_K)$. Then, for any input state $\rho \in (\mathbb{C}^d)^{\otimes n}$ provided by Alice before the waiting time, he obtains an output state $\zeta_{Q_{in} K} = \mathcal{E}(\rho)$, where $Q_{in}$ is the quantum information he puts into his quantum storage and $K$ is any additional classical information he retains. Hence, the joint state of Alice and Bob before his storage noise is applied is of the form
$$\rho_{X^n \Theta^n K Q_{in}} = \frac{1}{d^n (d+1)^n} \sum_{x^n, \theta^n} \sum_k P_{K|X^n = x^n, \Theta^n = \theta^n}(k)\; \underbrace{|x^n\rangle\langle x^n| \otimes |\theta^n\rangle\langle\theta^n|}_{\text{Alice}} \otimes \underbrace{|k\rangle\langle k| \otimes \zeta_{x^n \theta^n k}}_{\text{Bob}}, \qquad (A8)$$
where $\zeta_{x^n \theta^n k}$ is the state on $\mathcal{H}_{in}$ depending on Alice's choice of string $x^n$, bases $\theta^n$ and Bob's classical information $k$. Bob's storage then undergoes noise described by $\mathcal{F}: \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$, and the state evolves to $\rho_{X^n \Theta^n K \mathcal{F}(Q_{in})}$. After time $\Delta t$ Bob also receives the basis information $\Theta^n = \theta^n$. Then their joint state is
$$\rho_{X^n \Theta^n K \mathcal{F}(Q_{in})} = \frac{1}{d^n (d+1)^n} \sum_{x^n, \theta^n} \sum_k P_{K|X^n = x^n, \Theta^n = \theta^n}(k)\; \underbrace{|x^n\rangle\langle x^n|}_{\text{Alice}} \otimes \underbrace{|\theta^n\rangle\langle\theta^n| \otimes |k\rangle\langle k| \otimes \mathcal{F}(\zeta_{x^n \theta^n k})}_{\text{Bob } B'}, \qquad (A9)$$
where Bob now holds $B' = \Theta^n K \mathcal{F}(Q_{in})$.
Our goal is to show that for any cheating strategy of dishonest Bob, his min-entropy about the string $X^n = (X_1, \ldots, X_n)$ is large, using an entropic uncertainty relation. Recall that the set of $d+1$ MUBs in $\mathbb{C}^d$ satisfies [17]
$$\frac{1}{d+1} \sum_{i=1}^{d+1} H(B_i|\rho) \ge \log(d+1) - 1, \quad \forall \rho \in \mathbb{C}^d, \qquad (A10)$$
where
$$H(B_i|\rho) = -\sum_j \mathrm{Tr}\big(|b^i_j\rangle\langle b^i_j|\rho\big) \log \mathrm{Tr}\big(|b^i_j\rangle\langle b^i_j|\rho\big) \qquad (A11)$$
is the Shannon entropy of the probability distribution induced by measuring the state $\rho$ in the basis $B_i$. This lower bound, along with the uncertainty relation for the smooth min-entropy from [23, Theorem 4.22], gives
2. Security for honest Bob

The proof of security when Alice is dishonest is essentially analogous to [13] (see Section 3.4 and Figures 7 and 8), where we introduce an imaginary "simulator" with perfect quantum memory to define the desired ideal state. We hence merely state how to adapt the proof of [13]: here we naturally obtain $\tau(p)$ in place of the uniform distribution $\tau_{2^{[n]}}$ in our simulation. Similarly, the subset $\mathcal{I}$ is not chosen uniformly at random, but with probability
$$\Pr(\mathcal{I}) := p^{|\mathcal{I}|} (1-p)^{n-|\mathcal{I}|}. \qquad (A15)$$

Appendix B: Oblivious Transfer from Weak String Erasure



$$H^{\varepsilon}_\infty(X^n|\Theta^n)_\rho \ge \left(\log(d+1) - 1 - \frac{\delta}{2}\right) n \qquad (A12)$$
for any $0 < \delta < \tfrac{1}{2}$ with
$$\varepsilon = 2\exp\!\left(-\frac{(\delta/4)^2\, n}{32\left(\log((d+1) \cdot d) + \log(4/\delta)\right)^2}\right). \qquad (A13)$$

Finally, we make use of Lemma 2.2 in [13], which relates the smooth min-entropy to the maximal decoding probability $P^{\mathcal{F}}_{succ}$, to get
$$H^{\varepsilon}_\infty(X^n|\Theta^n K \mathcal{F}(Q_{in}))_\rho \ge -\log P^{\mathcal{F}}_{succ}\!\left(n\left(\log(d+1) - 1 - \frac{\delta}{2}\right) - \log\frac{1}{\varepsilon}\right) \ge -\log P^{\mathcal{F}}_{succ}\big(n(\log(d+1) - 1) - n\delta\big),$$
where the second inequality follows from the monotonicity of $P^{\mathcal{F}}_{succ}$ and the fact that $\log\frac{1}{\varepsilon} \le \frac{\delta}{2} n$ for $0 < \delta < \tfrac{1}{2}$. By definition of the smooth min-entropy, this implies that there exists an ideal state $\sigma_{X^n B'}$ such that

1. $\sigma_{X^n B'} \approx_\varepsilon \rho_{X^n B'}$,

2. $\frac{1}{n} H_\infty(X^n|B')_\sigma \ge -\frac{1}{n} \log P^{\mathcal{F}}_{succ}\big(n\log(d+1) - n - \delta n\big)$,

which proves part (i) of Theorem 2.

In the special case that $\mathcal{F}$ is the tensor product channel $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$, where $\mathcal{N}$ satisfies the strong converse property and $C_{\mathcal{N}} \cdot \nu < \log(d+1) - 1$, following the same steps as in [13] we obtain that there exists an ideal state $\sigma_{X^n B'}$ that is $\varepsilon$-close to $\rho_{X^n B'}$ and has a min-entropy

We are now ready to show how oblivious transfer can be obtained even from the non-uniform variant of weak string erasure. To formally state our result we begin with the definition of oblivious transfer from [13].

Definition 2. An $(\ell, \varepsilon)$-fully randomized oblivious transfer (FROT) scheme is a protocol between Alice and Bob satisfying the following:

Correctness: If both parties are honest, then the ideal state $\sigma_{S_0^\ell S_1^\ell C S_C^\ell}$ is defined such that

1. The distribution over $S_0^\ell$, $S_1^\ell$ and $C$ is uniform: $\sigma_{S_0^\ell S_1^\ell C} = \tau_{\{0,1\}^\ell} \otimes \tau_{\{0,1\}^\ell} \otimes \tau_{\{0,1\}}$.

2. The real state $\rho_{S_0^\ell S_1^\ell C Y^\ell}$ created during the protocol is $\varepsilon$-close to the ideal state:


$$\frac{1}{n} H_\infty(X^n|B')_\sigma \ge \nu \cdot \gamma^{\mathcal{N}}\!\left(\frac{\log(d+1) - 1 - \delta}{\nu}\right) > 0, \qquad (A14)$$
where $\gamma^{\mathcal{N}}(\cdot)$ is the strong converse parameter of the channel $\mathcal{N}$ [15]. This proves part (ii) of Theorem 2.



$$\rho_{S_0^\ell S_1^\ell C Y^\ell} \approx_\varepsilon \sigma_{S_0^\ell S_1^\ell C S_C^\ell}, \qquad (B1)$$
where we identify $A = (S_0^\ell, S_1^\ell)$ and $B = (C, Y^\ell)$.

Security for Alice: If Alice is honest, then there exists an ideal state $\sigma_{S_0^\ell S_1^\ell B' C}$, where $C$ is a random variable on $\{0,1\}$, such that

1. Bob is ignorant about $S^\ell_{1-C}$:
$$\sigma_{S^\ell_{1-C} S^\ell_C B' C} \approx_\varepsilon \tau_{\{0,1\}^\ell} \otimes \sigma_{S^\ell_C B' C}.$$

2. The real state $\rho_{S_0^\ell S_1^\ell B'}$ created during the protocol is $\varepsilon$-close to the ideal state:
$$\rho_{S_0^\ell S_1^\ell B'} \approx_\varepsilon \sigma_{S_0^\ell S_1^\ell B'}.$$

Security for Bob: If Bob is honest, then there exists an ideal state $\sigma_{A' S_0^\ell S_1^\ell C}$ such that

1. Alice is ignorant about $C$:
$$\sigma_{A' S_0^\ell S_1^\ell C} = \sigma_{A' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}}.$$

2. The real state $\rho_{A' C Y^\ell}$ created during the protocol is $\varepsilon$-close to the ideal state:
$$\rho_{A' C Y^\ell} \approx_\varepsilon \sigma_{A' C S_C^\ell},$$
where we identify $B = (C, Y^\ell)$.

In the main part of this text, we had restricted ourselves to considering a simplified protocol containing all the essential ideas of the protocol below. The actual protocol is very similar, but for technical reasons we will work with $m$ blocks of $\beta$ elements each, instead of sampling individual elements $X_j$. Fortunately, the protocol we will use for the case of non-uniform weak string erasure remains the same as in the case of weak string erasure, up to a small modification. Since $p \neq 1/2$, the expected number of dits $X_j$ that Bob will learn is of course no longer roughly $n/2$ as in the original setting [13]. This requires the introduction of a new parameter $\eta$ such that with high probability Bob will learn $n/\eta$ of the string's entries. We again require an encoding of subsets as strings. Since our subsets will now be smaller, we choose $t$ such that $2^t \le |\mathcal T| < 2\cdot 2^t$, and an injective encoding $\mathrm{Enc} : \{0,1\}^t \to \mathcal T$, where $\mathcal T$ is the set of possible subsets of size $m/\eta$. Note that this again means that not all subsets can be encoded, but at least half of them will.



Protocol 2: WSE-to-FROT

Parameters: Set $\eta := 2(d+1)$. Integers $n, \beta$ such that $m := n/\beta$ is a multiple of $\eta$. Outputs: $(s_0^\ell, s_1^\ell) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to Alice, and $(c, y^\ell) \in \{0,1\} \times \{0,1\}^\ell$ to Bob.

1: Alice and Bob: Execute $[n, \lambda, \varepsilon, 1/(d+1), d]$-WSE. Alice gets a string $x^n \in \{0,1,\ldots,d-1\}^n$, Bob a set $\mathcal I \subseteq [n]$ and a string $s = x_{\mathcal I}$. If $|\mathcal I| < n/\eta$, then Bob simply chooses $\mathcal I_{\rm tr}$ from all subsets of size $n/\eta$ uniformly at random. Otherwise, he randomly truncates $\mathcal I$ to $\mathcal I_{\rm tr}$ of size $n/\eta$, and deletes the corresponding values in $s$. We arrange $x^n$ into a matrix $z \in M_{m\times\beta}(\{0,1,\ldots,d-1\})$ by $z_{j,\alpha} := x_{(j-1)\beta+\alpha}$ for $(j,\alpha) \in [m]\times[\beta]$.

2: Bob:

1. Randomly chooses a string $w^t \in_R \{0,1\}^t$ corresponding to an encoding of a subset $\mathrm{Enc}(w^t)$ of $[m]$ with $m/\eta$ elements.

2. Randomly partitions the $n$ dits of $x^n$ into $m$ blocks of $\beta$ dits each: He randomly chooses a permutation $\pi : [m]\times[\beta] \to [m]\times[\beta]$ of the entries of $z$ such that he knows $\pi(z)_{\mathrm{Enc}(w^t)}$ (that is, these dits are a permutation of the dits of $s$). Formally, $\pi$ is uniform over permutations satisfying the following condition: for all $(j,\alpha) \in [m]\times[\beta]$ and $(j',\alpha') := \pi(j,\alpha)$, we have $(j-1)\cdot\beta + \alpha \in \mathcal I_{\rm tr} \Leftrightarrow j' \in \mathrm{Enc}(w^t)$.

3. Bob sends $\pi$ to Alice.

3: Alice and Bob: Execute interactive hashing with Bob's input equal to $w^t$. They obtain $w_0^t, w_1^t \in \{0,1\}^t$ with $w^t \in \{w_0^t, w_1^t\}$.

4: Alice: Chooses $r_0, r_1 \in_R \mathcal R$ and sends them to Bob.

5: Alice: Outputs $(s_0^\ell, s_1^\ell) := \left(\mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_0^t)}, r_0),\ \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_1^t)}, r_1)\right)$.

6: Bob: Computes $c$, where $w^t = w_c^t$, and $\pi(z)_{\mathrm{Enc}(w_c^t)}$ from $s$. He outputs $(c, y^\ell) := (c, \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_c^t)}, r_c))$.



Theorem 3 (Oblivious Transfer). For any $\omega > (d+1)$ and $\beta \ge \max\{67,\ 256\omega^2/\lambda^2\}$, the protocol WSE-to-FROT implements an $\left(\ell,\ 43\cdot 2^{-\frac{\lambda^2\beta}{512\omega^2}} + 2\varepsilon\right)$-FROT from one instance of $[n, \lambda, \varepsilon, p, d]$-non-uniform WSE, where

$$\ell = \frac{\omega-1}{\omega}\left(\frac{\lambda}{4(\beta+1)} - \frac{\lambda^2}{512\omega^2}\right) n.$$



1. Security for Bob

We first show that the protocol is secure against a cheating Alice. This can again be done following the steps of [13], taking the non-uniformity into account. Formally, let $\rho_{A'' C Y^\ell}$ denote the joint state at the end of the protocol, where $A''$ is the quantum output of a malicious Alice and $(C, Y^\ell)$ is the classical output of an honest Bob. Following the same steps as in [13] we can construct an ideal state $\sigma_{A'' W_0^t W_1^t C} = \sigma_{A'' W_0^t W_1^t} \otimes \tau_{\{0,1\}}$ that satisfies $\rho_{A'' C Y^\ell} = \sigma_{A'' C Y^\ell} = \sigma_{A'' C S_C^\ell}$.

It now again remains to be shown that Alice does not learn anything about $C$, that is, $\sigma_{A'' S_0^\ell S_1^\ell C} = \sigma_{A'' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}}$. From the properties of non-uniform WSE it follows that $\sigma_{A'' X^n \mathcal I} = \sigma_{A'' X^n} \otimes \Phi(1/(d+1))$. Since Bob randomly truncates $\mathcal I$ to $\mathcal I_{\rm tr}$ such that $|\mathcal I_{\rm tr}| = n/\eta$, the truncated set is independent of $A''$. Furthermore, although $\mathcal I$ is not distributed uniformly over $2^{[n]}$, we can show that the truncated set $\mathcal I_{\rm tr}$ is indeed distributed uniformly over all subsets of size $n/\eta$. Intuitively this follows from the fact that the distribution of the set $\mathcal I$ depends only on the number of elements in $\mathcal I$. Formally, the probability of a given truncated set $\mathcal I_{\rm tr}$ can be written in terms of the probability $p(A)$ that $|\mathcal I| \ge n/\eta$ as follows

$$p(\mathcal I_{\rm tr} \mid A) = \sum_{\substack{\mathcal I \subseteq [n],\ \mathcal I \supseteq \mathcal I_{\rm tr} \\ |\mathcal I| \ge n/\eta}} \frac{1}{\binom{|\mathcal I|}{n/\eta}}\, p(\mathcal I \mid A) = \frac{1}{p(A)} \sum_{\substack{\mathcal I \subseteq [n],\ \mathcal I \supseteq \mathcal I_{\rm tr} \\ |\mathcal I| \ge n/\eta}} \frac{1}{\binom{|\mathcal I|}{n/\eta}}\, p(\mathcal I), \qquad (B2)$$

independent of the choice of truncation. Here $1/\binom{|\mathcal I|}{n/\eta}$ is the probability that we pick a particular $\mathcal I_{\rm tr}$ from the original $\mathcal I$, and $p(\mathcal I \mid A)$ is the conditional probability of a set $\mathcal I$, given that Bob obtains a sufficient number of indices. The last step is simply an application of Bayes' rule, $p(A)\,p(\mathcal I \mid A) = p(A \mid \mathcal I)\,p(\mathcal I)$, where $p(A \mid \mathcal I) = 1$ for the subsets $\mathcal I$ in the sum. Note that if $|\mathcal I| < n/\eta$ then Bob chooses a subset of the desired size uniformly at random from all subsets of size $n/\eta$, and hence $\Pr(\mathcal I_{\rm tr})$ is always uniform. Hence, conditioned on any fixed $W^t = w^t$, the permutation $\Pi$ is uniform and independent of $A''$. It follows that the string $W^t$ is also uniform and independent of $A''$ and $\Pi$. From the properties of interactive hashing we are guaranteed that $C$ is uniform and independent of Alice's view afterwards, and hence,

$$\sigma_{A'' S_0^\ell S_1^\ell C} = \sigma_{A'' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}}.$$



2. Security for Alice

The security proof for the case that Bob is dishonest is analogous to [13], this time employing [11, Lemma 2.5] with a subset size of $|\mathcal S| = m/\eta$.



3. Correctness

It remains to prove that if both parties are honest, then honest Bob can indeed learn the desired $S_C^\ell$. This requires us to show that for our choice of $\eta$, Bob can learn sufficiently many indices $i \in [n]$.

Lemma 1 (Correctness). Protocol WSE-to-FROT satisfies correctness with an error of $43\cdot 2^{-\frac{\lambda^2\beta}{512\omega^2}}$.

First we show using the Hoeffding bound [24] that the probability that a subset of $[n]$ where each entry is chosen with probability $p = 1/(d+1)$ has less than $n/\eta$ elements is at most $\exp(-2n/\eta^2)$. Consider a sequence of independent random variables $\{X_1, \ldots, X_n\}$, which are bounded as follows: $\Pr(X_i - \mathbb E(X_i) \in [a_i, b_i]) = 1$, $\forall\, 1 \le i \le n$. Then, Hoeffding's inequality states that the sum $S = X_1 + \ldots + X_n$ satisfies

$$\Pr(\mathbb E(S) - S \ge t) \le \exp\!\left(-\frac{2t^2}{\sum_{i=1}^n (b_i - a_i)^2}\right). \qquad (B3)$$

In our context, $X_i$ is the binary variable which takes on the value 1 if the index $i \in \mathcal I$, and 0 otherwise. The sum $S$ is thus simply equal to $|\mathcal I|$, the number of elements in the index set $\mathcal I$, which is a random subset of $[n]$. For the case of $d+1$ encodings, $\Pr(X_i = 1) = 1/(d+1)$ and $\Pr(X_i = 0) = d/(d+1)$, so that the expectation value satisfies

$$\mathbb E(S) = \mathbb E(|\mathcal I|) = \frac{n}{d+1}. \qquad (B4)$$

Furthermore, we can take $a_i = 0$ and $b_i = 1$ for all $i$. Applying Hoeffding's inequality to the sum $S = |\mathcal I|$ gives

$$\Pr\!\left(\frac{n}{d+1} - |\mathcal I| \ge n\left(\frac{1}{d+1} - \frac{1}{\eta}\right)\right) \le \exp\!\left(-2n\left(\frac{1}{d+1} - \frac{1}{\eta}\right)^2\right). \qquad (B5)$$

Rearranging terms, we obtain the probability that a random set $\mathcal I$ has less than $n/\eta$ elements:

$$\Pr\!\left(|\mathcal I| < \frac{n}{\eta}\right) \le \exp\!\left(-2n\left(\frac{1}{d+1} - \frac{1}{\eta}\right)^2\right). \qquad (B6)$$

Since our work is mainly a proof of principle, we do not yet care about optimality or efficiency. We simply pick a choice of $\eta$ that will satisfy this condition, and set $\eta = 2(d+1)$. Thus, the probability that a random subset of $[n]$ has less than $n/\eta$ elements is at most $\exp(-2n/\eta^2)$.
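The two facts the proofs above rely on, the uniformity of Bob's truncated set in (B2) and the Hoeffding estimate (B6), can be checked exactly for small parameters by enumerating every subset. The following Python is an added example and not code from the paper; it assumes the WSE index set $\mathcal I$ is formed by keeping each index independently with probability $1/(d+1)$.

```python
# Added example (not from the paper). Exact checks, for small n and d, of:
#   (1) Eq. (B2): the truncated set I_tr is uniform over all subsets of size
#       n/eta although I itself (each index kept w.p. 1/(d+1)) is not uniform;
#   (2) Eq. (B6): Pr[|I| < n/eta] <= exp(-2n/eta^2) for eta = 2(d+1).
# Assumption: index membership in I is independent Bernoulli(1/(d+1)).
from fractions import Fraction
from itertools import combinations
from math import comb, exp


def subset_prob(size, n, d):
    """p(I) for one specific I with |I| = size; it depends only on |I|."""
    p = Fraction(1, d + 1)
    return p ** size * (1 - p) ** (n - size)


def truncated_distribution(n, d):
    """Exact p(I_tr | A) for every I_tr of size k = n/eta, following (B2):
    sum over I containing I_tr with |I| >= k of p(I|A) / binom(|I|, k)."""
    eta = 2 * (d + 1)
    assert n % eta == 0, "n must be a multiple of eta so that n/eta is integral"
    k = n // eta
    # p(A) = Pr[|I| >= k], the normaliser from Bayes' rule in the text.
    p_A = sum(comb(n, s) * subset_prob(s, n, d) for s in range(k, n + 1))
    dist = {}
    for size in range(k, n + 1):
        for I in combinations(range(n), size):
            # Each of the binom(|I|, k) truncations of I is equally likely.
            w = subset_prob(size, n, d) / p_A / comb(size, k)
            for I_tr in combinations(I, k):
                dist[I_tr] = dist.get(I_tr, Fraction(0)) + w
    return dist


def truncation_is_uniform(n, d):
    """True iff every size-n/eta subset has probability exactly 1/binom(n, n/eta)."""
    dist = truncated_distribution(n, d)
    k = n // (2 * (d + 1))
    target = Fraction(1, comb(n, k))
    return len(dist) == comb(n, k) and all(v == target for v in dist.values())


def too_few_indices(n, d):
    """Return (exact Pr[|I| < n/eta], Hoeffding bound exp(-2n/eta^2)) as in (B6)."""
    eta = 2 * (d + 1)
    k = n // eta
    p = Fraction(1, d + 1)
    exact = sum(comb(n, s) * p ** s * (1 - p) ** (n - s) for s in range(k))
    return float(exact), exp(-2 * n / eta ** 2)
```

For $n = 8$, $d = 1$ (so $\eta = 4$, $n/\eta = 2$) every 2-subset of $[8]$ receives probability exactly $1/28$, and the exact tail $9/256$ lies well below the bound $e^{-1}$.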

Let $\xi := 2^{-n/\eta^2}$. We have to show that the state $\rho_{S_0^\ell S_1^\ell C Y^\ell}$ at the end of the protocol is close to the given ideal state $\sigma_{S_0^\ell S_1^\ell C S_C^\ell}$. As shown above, the probability that a subset of $[n]$ has less than $n/\eta$ elements is at most

$$\exp(-2n/\eta^2) \le \xi. \qquad (B7)$$

Hence, the probability that Bob does not learn sufficiently many indices when both parties are honest is at most $\xi$. Let $A$ be the event that $|\mathcal I| \ge n/\eta$. It remains to show that the state $\rho_{S_0^\ell S_1^\ell C Y^\ell \mid A}$ is close to the given ideal state $\sigma_{S_0^\ell S_1^\ell C S_C^\ell}$.

Note that the correctness condition of WSE ensures that the state created by WSE is equal to $\rho_{X^n \mathcal I X_{\mathcal I}} = \sigma_{X^n \mathcal I X_{\mathcal I}}$, where $\sigma_{X^n \mathcal I} = \tau_{\{0,1,\ldots,d-1\}^n} \otimes \Phi(1/(d+1))$. Since $\mathcal I_0$ and $\mathcal I_1$ are chosen independently of $X^n$, $X_{\mathcal I_0}$ and $X_{\mathcal I_1}$ have a min-entropy of $n/\eta$ each. Since $\ell \le n/(2\eta) \le n/\eta - 2\log(1/\xi)$, it follows from privacy amplification that $S_0^\ell$ is independent and $\xi$-close to uniform. Since dishonest Bob is only more powerful than honest Bob, we furthermore have from the proof against dishonest Bob that $S_{1-C}^\ell$ is independent and uniform except with an error of at most $\varepsilon' = 41\cdot 2^{-\frac{\lambda^2\beta}{512\omega^2}}$, where we used the fact that Bob is also honest during weak string erasure ($\varepsilon = 0$). Finally, by the same arguments showing security for Bob we have that $C$ is uniform and independent of $S_0^\ell$ and $S_1^\ell$. Hence,

$$\rho_{S_0^\ell S_1^\ell C \mid A} \approx_{\xi + \varepsilon'} \sigma_{S_0^\ell S_1^\ell C}.$$

Since the extra condition on the permutation $\pi$ implies that Bob can indeed calculate $\pi(z)_{\mathrm{Enc}(w^t)}$ from $X_{\mathcal I}$, we have that $Y^\ell = S_C^\ell$. Using $\Pr[A] \ge 1 - \xi$, we get

$$\rho_{S_0^\ell S_1^\ell C Y^\ell} \approx_{2\xi + \varepsilon'} \sigma_{S_0^\ell S_1^\ell C S_C^\ell}.$$

Finally, $\lambda \le 1$, $\beta \ge 1$ and $\omega > (d+1)$ give us $1/\eta^2 = 1/(4(d+1)^2) > \lambda^2/(512\omega^2\beta)$. Adding up all errors and noting that

$$2\cdot 2^{-\frac{1}{\eta^2} n} \le 2\cdot 2^{-\frac{\lambda^2}{512\omega^2\beta} n}$$

gives our claim.



